Re: CVE-2008-id Request -- ssmtp -- standardise() -- Buffer overflow

["Steven M. Christey" <coley () linus mitre org>]

> ----- "Jan Lieskovsky" <jlieskov () redhat com> wrote:
>
> > Hi Steve, vendors,
> >
> >    Brendan Boerner reported:
> >    [1] https://bugs.launchpad.net/ubuntu/+source/ssmtp/+bug/282424
> >
> > a deficiency in the way ssmtp removed trailing '\n' sequence
> > by processing lines beginning with a leading dot. A local user,
> > could send a specially-crafted e-mail message via ssmtp send-only
> > sendmail emulator, leading to ssmtp executable denial of service (exit
> > with:
> > ssmtp: standardise() -- Buffer overflow). Different vulnerability
> > than CVE-2008-3962.


Use CVE-2008-7258

- Steve



> > References:
> >    [2] https://bugzilla.redhat.com/show_bug.cgi?id=582236
> >    [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3962
> >    [4] http://patch-tracker.debian.org/package/ssmtp/2.62-3
> >    [5]
> > http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041012.html
> >    [6]
> > http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041009.html
> >    [7]
> > http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041119.html
> >
> > Debian Linux distribution patch:
> >    [8]
> > http://patch-tracker.debian.org/patch/series/view/ssmtp/2.62-3/345780-standardise-bufsize
> >
> > Public PoC (from
> > https://bugzilla.redhat.com/show_bug.cgi?id=582236#c0):
> >    [9] ( 0. Install & configure ssmtp, of course )
> >          1. (echo -n . ; for i in {1..2050} ; do echo -n $i ; done) |
> > mail root
> >
> > Couldn't find CVE-2008-XXXX ssmtp identifier for this
> > (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ssmtp).
> >
> > Steve, could you allocate one?
> >
> > Thanks && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team